From psirt@cisco.com Wed Oct 3 10:53:27 2001
From: Cisco Systems Product Security Incident Response Team
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Date: Wed, 03 Oct 2001 08:30:00 -0700 (PDT)
Subject: Cisco Security Advisory: Cisco PIX Firewall Authentication Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Cisco PIX Firewall Authentication Denial of Service Vulnerability
Revision 1.0
For Public Release 2001 October 03 08:00 (UTC -0800)
_________________________________________________________________
Summary
The Cisco Secure PIX Firewall AAA authentication feature, introduced
in version 4.0, is vulnerable to a Denial of Service (DoS) attack
initiated by authenticating users on the system. This vulnerability
affects specific configurations and has been resolved in released
versions of the PIX Firewall.
This vulnerability has been assigned Cisco bug ID CSCdt92339.
The complete notice will be available at
http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml.
Affected Products
All users of Cisco Secure PIX Firewalls with software versions 4.0 up
to and including 4.4(8), 5.0(3), 5.1(3), 5.2(2), and 5.3(1) with
configurations using AAA authentication are at risk.
Affected configurations will have configuration lines that begin:
pixfirewall# aaa authentication ...
Configurations not including aaa authentication are not affected. PIX
Firewall software versions 6.0(1) and later are not affected.
The IOS Firewall feature set is not affected by the above defect.
No other Cisco products are affected by this defect.
Details
When AAA authentication services are configured on the Cisco Secure
PIX Firewall, it is possible for a single source address to consume
all of the authentication resources, preventing other legitimate users
from authenticating. This is a denial of service strictly for the
authentication resources; other established traffic continues
unaffected, and only new authentication requests are prevented.
This vulnerability has been resolved in the recent versions of the PIX
Firewall by creating a maximum limit of three open authentication
requests per user.
Cisco Bug ID CSCdv09731 amends this limitation to allow system
administrators to modify this limit, depending on their network
requirements.
Impact
This issue causes a PIX Firewall to be vulnerable to a DoS attack in
which the availability of the unit is degraded. This does not result
in a loss in confidentiality or in loss of integrity of the traffic
being filtered.
Software Versions and Fixes
- ----------------------------------------------------------------------------
Version Affected | Interim Release | Fixed Regular Release (available now)
| |
| Fix carries | Fix carries forward into all
| forward into all | later versions
| later versions |
- ----------------------------------------------------------------------------
| |
All versions of | | Upgrade to 5.2(6)
Cisco Secure PIX | |
up to and | |
including | |
version 4.4(8) | |
| |
- ----------------------------------------------------------------------------
| |
Version 5.0 and | | Upgrade to 5.2(6)
Version 5.1 | |
| |
- ----------------------------------------------------------------------------
| |
Version 5.2(2) | 5.2(5.204) | 5.2.(6)
| |
- ----------------------------------------------------------------------------
| |
Version 5.3.x | 5.3(1.203) | 5.3(2)
up to and | |
including | |
version 5.3(1) | |
| |
- ----------------------------------------------------------------------------
Obtaining Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability
for all affected customers. Customers with service contracts may
upgrade to any software version. Customers without contracts may
upgrade only within a single row of the table above, except that any
available fixed software will be provided to any customer who can use
it and for whom the standard fixed software is not yet available. As
always, customers may install only the feature sets they have
purchased.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com. Customers whose Cisco products are
provided or maintained through prior or existing agreement with
third-party support organizations such as Cisco Partners, authorized
resellers, or service providers should contact that support
organization for assistance with the upgrade, which should be free of
charge.
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party
vendors but are unsuccessful at obtaining fixed software through their
point of sale, should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including instructions and e-mail
addresses for use in various languages.
Give the URL of this notice as evidence of your entitlement to a
free upgrade. Free upgrades for non-contract customers must be
requested through the TAC. Please do not contact either
"psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds
There is no known workaround for all authentication types.
If authentication is configured in conjunction with the Virtual HTTP
feature, a limit of three concurrent authentication attempts per user
exists, which could prevent this denial of service for HTTP traffic
only. This would have no effect on authentication attempts for FTP or
Telnet if the PIX is configured for authentication of those services.
Exploitation and Public Announcements
This vulnerability has been publicly discussed on the Bugtraq list
maintained by SecurityFocus at
http://www.securityfocus.com/archive/1/174577.
Cisco has no evidence or knowledge of exploitation of this
vulnerability; this was discovered when a program on a customer site
utilized all authentication resources.
Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked
to the best of our ability. Cisco does not anticipate issuing updated
versions of this notice unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may
update this notice.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml.
In addition to Worldwide Web posting, a text version of this
notice is clear-signed with the Cisco PSIRT PGP key and is posted to
the following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* firewalls@lists.gnac.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.
Revision History
Revision 1.0 For public release 2001 October 03 08:00 (UTC -0800)
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco Security Advisories are available at
http://www.cisco.com/go/psirt.
_________________________________________________________________
This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
_________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQEVAwUBO7sslA/VLJ+budTTAQEU1gf/VsgQCFDrZb09DA3ZPzHzJucpUX+LcAtC
bzLir7V2E1olfv8iqX1M1YDC3a3xQLb9LtwcC036exGnfZ/lqQTSP4Lln0RVRUiJ
igi/sbVqTRkuEOIRMAO9ocuIreH+pMjKcg96SXRfWY53+CF9qnTlp08ma7Jh5/xJ
92m8bel+jhN3dqu2P2f698UvY/mUcmE4vBDnQQJRbbjtk5XED+XIoSdx1FivWgrm
Y+qOlKXPMMNxbrsANML8XgLwtJtXJZMvQxVIrvHdrA7HjlK3o/iR60JMU5n+pD6y
iDXfJxNUf47oN+tWmEFIL4mL1p+yARjwjaz4Rz3YW1QBVy+3beYgMw==
=UqcC
-----END PGP SIGNATURE-----